It is forbidden to splice SQL in code
2022-07-03 23:40:00 【hzp666】
1. String manipulation is error-prone.
2. The SQL statement inevitably ends up embedded in the code, so code and data cannot be separated, and readability suffers.
3. Efficiency. In many cases the same SQL statement must be executed many times with different parameters. With PreparedStatement (Java), the statement is compiled only on the first execution, and every execution after that runs faster.
4. If the SQL statement is spliced together with string operations in the code, errors in the statement cannot be detected. If the parameters are set through the methods the class library provides, the parameter types are checked at compile time.
5. If the SQL statement has to be modified later, for example adding another condition to the where clause, or reordering the filter conditions to improve performance, string splicing turns out to be a disaster, especially when the SQL statement is complex (nested queries, joins across several tables).
6. Security. Spliced SQL statements are vulnerable to SQL injection attacks.
SQL injection is a common attack against databases. The attacker inserts malicious code into a string, and that string is then passed to the SQL Server instance to be parsed and executed. As long as the malicious code conforms to the rules of SQL syntax, it will not be detected when the statement is compiled and executed. This shows how serious the harm of SQL injection attacks is.
Preventing SQL injection:
Broadly speaking, there are two ways to prevent SQL injection attacks: first, strengthen the checking and validation of user input; second, force the use of parameterized statements to pass user input.
For example, where we used to write:
string cmd = "insert into test values('" + id + "','" + name + "')";
Now it can be changed to:
string cmd = "insert into test values(@id,@name)";
MySqlParameter[] paras = {
    new MySqlParameter("@id", MySqlDbType.String),
    new MySqlParameter("@name", MySqlDbType.String)
};
paras[0].Value = ID;
paras[1].Value = Name;
The only disadvantage of parameterized SQL statements is that they occupy system resources: the statement is precompiled in advance, and the system reuses that compiled form directly on each call.
Compared with directly spliced SQL statements, however, the advantages far outweigh the disadvantages.
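The same before/after contrast, as an added example that is not part of the original post: Python with an in-memory sqlite3 database stands in for the post's C#/MySQL code, since the principle is identical. A constructed name containing a quote (O'Brien) breaks the spliced statement at parse time, while the parameterized version stores it correctly and reuses one prepared statement for every row.

```python
import sqlite3

# Constructed sample rows: a plain name and one containing a single quote,
# the kind of value that turns a spliced statement into a syntax error.
SAMPLE_ROWS = [("1", "alice"), ("2", "O'Brien")]


def setup():
    """Fresh in-memory database with the post's `test` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id TEXT, name TEXT)")
    return conn


def insert_spliced(conn, id_, name):
    # The 'before' style from the post: values spliced into the SQL text.
    # Any quote inside `name` becomes part of the statement's syntax.
    sql = "insert into test values('" + id_ + "','" + name + "')"
    conn.execute(sql)


def insert_parameterized(conn, id_, name):
    # The 'after' style: placeholders in a fixed statement, values bound by
    # the driver, so no value can change the statement's structure.
    conn.execute("insert into test values(?, ?)", (id_, name))


def run_spliced(rows):
    """Insert each row by splicing; returns (stored names, list of errors)."""
    conn = setup()
    errors = []
    for id_, name in rows:
        try:
            insert_spliced(conn, id_, name)
        except sqlite3.Error as exc:
            # The quote in O'Brien produces an unterminated string literal.
            errors.append(f"{name!r}: {exc}")
    names = [r[0] for r in conn.execute("SELECT name FROM test ORDER BY id")]
    return names, errors


def run_parameterized(rows):
    """Insert all rows through one prepared statement (compile once, run many)."""
    conn = setup()
    conn.executemany("insert into test values(?, ?)", rows)
    return [r[0] for r in conn.execute("SELECT name FROM test ORDER BY id")]
```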
7. "It can be refactored later"? Why not change it now: the earlier the change, the lower the cost.
=================
Simply put: get rid of all this +++++ string concatenation, which is both sloppy and unsafe, and switch to SqlParameter.
=================
SQL injection was a popular vulnerability back in the last century;
if you still have SQL injection vulnerabilities today, your peers will laugh at you. I took a rough look: the variables are all numeric types, so there should be no injection problem. Or just use SqlParameter, be sensible, and stop worrying about injection; that is the thorough solution.
Also, I don't know about SQL Server, but in Oracle, when it comes to performance: with parameterized SQL, if the SQL sent to the database has already been compiled, it is not recompiled the next time; only the different parameter values are passed to the database server. If instead you splice variable values into the SQL, the probability that a SQL statement sent to the database server repeats is very low, so the database server compiles it every time, which degrades performance.